Yep, I would like to read about that

  Too funny!

Not my first pentest, but one of the early ones where I compromised the network from an empty office with an IP phone (not even on a separate voice vlan so no vlan-hopping tricks needed), found a server with an extremely weak local administrator account that I bruteforced via RDP, grabbed the hashes and starting having some serious fun on the rest of the network. The funny thing was when I started scanning the internal network I found a server full of really disgusting porn. (I can never un-see some of those images *shudder*) In addition to the porn, but likely as a result of it, after further inspection I realized the server had been compromised and had a persistent outbound connection to a server in South America. I immediately reported it to my contact and was told it was the CEO's private stash and to please please not mention it in the report and they would clean up the infection.

Here is where I reached a moral and professional dilemma. I stand by the contents of my report. I sign off on the validity of it. How could I with a good conscience neglect to mention such an egregious security issue? I went back to my rules of engagement to see if I could find anything contained within that would give me some leeway to honor the customer's request. I'm being paid for a service and want to honor that request but I have to draw a line at compromising my own professional integrity. Nothing in the rules of engagement gave me what i was looking for so I opted to include the discovered connection but omit any mention of the images or what caused the issue other than what I described as "indiscriminate internet usage." When I met the CEO later at the exit meeting he was introduced to me by my contact as "a man of discriminating tastes" ostensibly referring to his rather high priced Mercedes and love of expensive wines. When my contact walked away I could see him holding two crossed fingers behind his back as he winked at me. Funniest.Pentest.EVAR!

I also want to point out that we should include policy violations in our reports as they are indicative of a systemic security issue. Un-enforcable policies or inconsistently applied policies are actually worse than no policy at all in my opinion. Good pentests will identify those meta-issues that have far greater impact on the security of an organization than any single SQLi flaw or single missing patch. I had to make a call and to this day I'm still not sure if it was the right one but sometimes we do what we have to to satisfy the customer. Luckily I was able to identify other policy violations so I could still identify that meta-issue without embarassing the CEO but if I had not, I'm not sure how I would have handled it. These are the kinds of situations that no certification program on the planet will prepare you for.

not my first (which was a complete fiasco because i was into security for about two weeks, firing random exploits and such) but a funny one:

i was doing a pentest on a web application that offered e-commerce functionality. it was possible to view the service after you purchased it. after providing your credentials it did around 2 or 3 authentication checks, but then you were redirected to an url that had the ordernr as an url parameter. changing this provided you with the order information of other customers. now the funny part was that all the information was provided in formfields, but were not editable. in the code there was a parameter like: CanModify=false. setting this to true lets you change the order and contact details of the person...

Nope, west coast U.S.